呃……就怕开了GPC...^_^

if (get_magic_quotes_gpc() == 0) { $HTTP_GET_VARS =addslashes_array($HTTP_GET_VARS); $HTTP_POST_VARS =addslashes_array($HTTP_POST_VARS); $HTTP_COOKIE_VARS =addslashes_array($HTTP_COOKIE_VARS); }

我犯了一个错误，sorry

这个貌似关了gpc也不能用%00截断 :)

不过可以用一个思路，比如在linux下，可以通过旁注拿个shell，然后写个main.php到/tmp目录下，然后包含之

Author :     Flyh4t
msn :     flyh4t@hotmail.com
team:     Wolves Security Team
site:        bbs.wolvez.org
Greet to : q1ur3n  puret_t  make0day  and all the members of Wolves Security Team
/***********************************************************/
Bug file : global.php
if (isset($HTTP_GET_VARS['l']) || isset($HTTP_POST_VARS['l'])) {
  $requested_l = (isset($HTTP_GET_VARS['l'])) ? trim($HTTP_GET_VARS['l']) : trim($HTTP_POST_VARS['l']);
  if ($requested_l != $config['language_dir'] && file_exists(ROOT_PATH.'lang/'.$requested_l.'/main.php')) {
    $l = $requested_l;
    $config['language_dir'] = $l;
  }
}

include_once(ROOT_PATH.'lang/'.$config['language_dir'].'/main.php');

/***********************************************************/
global.php is included by all the files of 4images,so it can be exploited through many files

/***********************************************************/